<html>
<head><meta charset="utf-8"><title>clap vulnerability? · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clap.20vulnerability.3F.html">clap vulnerability?</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="179762102"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clap%20vulnerability%3F/near/179762102" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clap.20vulnerability.3F.html#179762102">(Nov 03 2019 at 20:28)</a>:</h4>
<p>I think Clap has an exploitable vulnerability: <a href="https://github.com/clap-rs/clap/issues/1594" target="_blank" title="https://github.com/clap-rs/clap/issues/1594">https://github.com/clap-rs/clap/issues/1594</a><br>
They basically transmute arbitrary bytes into <code>OsStr</code> which on Windows is WTF-8, so they violate the validity invariant for it. I wonder if there are actually any functions using WTF-8 invariants to avoid bounds checks?</p>



<a name="179762116"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clap%20vulnerability%3F/near/179762116" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clap.20vulnerability.3F.html#179762116">(Nov 03 2019 at 20:29)</a>:</h4>
<p>oof</p>



<a name="179762127"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clap%20vulnerability%3F/near/179762127" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clap.20vulnerability.3F.html#179762127">(Nov 03 2019 at 20:29)</a>:</h4>
<p><a href="https://github.com/clap-rs/clap/blob/85f820fa04959be2acef9c831f98f1093c67f987/src/util/osstringext.rs#L23-L30" target="_blank" title="https://github.com/clap-rs/clap/blob/85f820fa04959be2acef9c831f98f1093c67f987/src/util/osstringext.rs#L23-L30">https://github.com/clap-rs/clap/blob/85f820fa04959be2acef9c831f98f1093c67f987/src/util/osstringext.rs#L23-L30</a> - fixed link</p>



<a name="179762871"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clap%20vulnerability%3F/near/179762871" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clap.20vulnerability.3F.html#179762871">(Nov 03 2019 at 20:47)</a>:</h4>
<p>The good news is that the crate author is very cooperative</p>



<a name="179763377"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clap%20vulnerability%3F/near/179763377" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clap.20vulnerability.3F.html#179763377">(Nov 03 2019 at 21:01)</a>:</h4>
<p>Lots of functions in the WTF-8 implementation do "find next surrogate, pass everything up to that to str::from_utf8_unchecked" - so this should allow constructing <code>&amp;str</code> with invalid UTF-8</p>



<a name="181752153"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/clap%20vulnerability%3F/near/181752153" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DPC <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/clap.20vulnerability.3F.html#181752153">(Nov 24 2019 at 09:02)</a>:</h4>
<p>Hi <span class="user-mention" data-user-id="127617">@Shnatsel</span>. I'm one of the maintainers of clap. If you need anything, feel free to ping me</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>